The Necurs botnet has resurfaced, with some new tricks. Notably, it’s taking a page from Mirai, and setting itself up to act as infrastructure for DDoS attacks.
According to Anubis Networks, the bot showed up about six months ago communicating with a set of IPs on a different port than the usual port 80. It also uses what appears to be a different protocol.
It’s also loading a new module—indicating that it can add new capabilities at any time.
“Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware,” said Anubis, in an analysis. “However, Necurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules (besides the spam module).”
While decrypting the C2 communication of a Necurs bot, Anubis observed a request to load two different modules, each with a different parameter list. The first one was the spam module for which Necurs is best known, and its parameters are the C2 addresses from which it can receive new spam campaigns. The second one was an unknown module that seemed responsible for the communications Anubis saw to the new port.
Upon examination, the firm discovered that the new module issued commands that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDoS attack.
“This is particularly interesting considering the size of the Necurs botnets (the largest one, where this module was being loaded, has over 1 million active infections each 24 hours),” the company noted. “A botnet this big can likely produce a very powerful DDoS attack.”